Methods and apparatuses for distributing data packets to a multiplicity of service nodes are commonly used in so-called cluster systems providing services to a large number of clients. A particular well-known example is so-called server farms providing web services to the Internet.
Originally the transmission control protocol and the Internet protocol (TCP/IP) did not provide any method for packet authentication or encryption. The most popular application level protocol, the hypertext transport protocol (HTTP) also does not provide any security mechanisms.
With the growing importance of web services such as e-commerce and e-business, a great need for secure Internet communication has arisen. To overcome the lack of security, various protocols for including security mechanisms like authentication and encryption were designed for the different layers of the TCP/IP protocol stack.
The secure socket layer (SSL) protocol is an extra layer, added between the transport layer, managing connections between two computers, and the application layer and provides transparent authentication and encryption to higher level protocols. In practice, however, it is only commonly used in combination with the HTTP protocol, which is then referred to as secure HTTP or HTTP over SSL (HTTPS).
Because of the relatively high overhead in terms of processing performance it is only used for a few types of applications such as online banking and electronic payment systems. In order to spread the use of secure communication on the Internet to other applications and application protocols, the IP security (IPsec) standard integrates authentication and encryption directly into the network layer. To this end, an additional packet header is introduced which is placed immediately after the IP header comprising the source and destination address of the packet. The additional header is placed before the TCP or UDP header of the transport layer, which comprises, among other data, the source and destination port number of the packet. The additional IPsec header can comprise either an authentication header (AH) or an encapsulated secure payload (ESP) header or both. In the case where encryption is used, the data following the ESP header is encrypted, including the data contained in a subsequent UDP or TCP header.
Encryption can be used in two different modes called tunnel mode and transport mode, respectively. In tunnel mode, the entire data packet to be transmitted over a network is encrypted and included in a new data packet as payload. In transport mode, only the content of the original data packet is encrypted, but some of its header information, particularly the IP header comprising source and destination address and the ESP header comprising encryption information remain unencrypted.
If such a partially encrypted data packet is received by a single server, the decryption of the packet's content takes place before the packet is passed to the transport layer and processing can proceed in the same way as without encryption.
If the IP packet is received by a cluster system, however, data packets are usually distributed to different service nodes of the cluster for further processing. In order to decide which packet is to be processed by what service node, a packet analyzer usually scans the headers of the received packets for service information, such as the port number or application protocol. This information, however, is not available at the network layer in case of an encrypted IPsec packet. Consequently, IPsec is currently not used in cluster systems identified by a common virtual address, but always directed to a physical address of a single server. This has the disadvantage that the scalability and reliability of cluster systems currently cannot be used in combination with the security offered by the IPsec standard.